WithumSmith+Brown
A Professional Corporation
Certified Public Accountants and Consultants

U.S. CONSUMER PRODUCT SAFETY COMMISSION

Performance Audit of Information Technology Investment Management

September 30, 2012

Prepared by WithumSmith+Brown PC
For the Consumer Product Safety Commission – Office of Inspector General

Table of Contents

Executive Summary
Observations
Recommendation
Appendices
    Appendix A – Background
    Appendix B – Objectives, Scope, Methodology, and Criteria
    Appendix C – Acronyms and Abbreviations
    Appendix D – CPSC Response

WithumSmith+Brown
8403 Colesville Road, Suite 340
Silver Spring, Maryland 20910-6331 USA
301 585 7990 . fax 301 585 7975
www.withum.com
Additional Offices in New Jersey, New York and Pennsylvania

September 30, 2012

Ms. Inez Moore Tenenbaum
Chairman, Consumer Product Safety Commission
4330 East West Highway
Bethesda, Maryland 20814

EXECUTIVE SUMMARY

We were engaged by the Consumer Product Safety Commission (CPSC), Office of Inspector General (OIG), to conduct a follow-on performance audit relative to CPSC’s Information Technology (IT) investment management processes, using the Government Accountability Office’s (GAO) Information Technology Investment Management (ITIM) framework. We previously reported on our assessment of CPSC’s ITIM maturity in August 2010.
In that report we concluded that CPSC had achieved Stage 1, and outlined 11 specific steps for achieving Stage 2, and we recommended the Chairman of the CPSC direct the Chief Information Officer to develop a plan of action and milestones for the completion of the remaining Stage 2 processes and subsequent stages.

The ITIM framework is a maturity model composed of five progressive stages of maturity that an agency can achieve in its information technology investment management capabilities. The maturity stages are cumulative; that is, in order to attain a higher stage of maturity, the agency must have institutionalized all of the requirements for that stage in addition to those for all of the lower stages. The framework can be used to assess the maturity of an agency’s investment management processes as a tool for organizational improvement.
For each maturity stage, the ITIM describes a set of critical processes that must be in place for the agency to achieve that stage.

This report presents the results of our work conducted to address the performance audit objectives as specified by the OIG. Our audit objectives were to perform a rigorous evaluation of CPSC’s IT investment management processes in order to determine which of the five progressive stages of maturity in IT investment management capabilities most accurately describes the CPSC’s ITIM framework, and to provide a road map that CPSC can follow to improve its processes. As our report further describes, we identified the following as a result of the work we performed:

CPSC has continued to take steps to mature its IT investment management processes, and has completed substantially all of the critical practices and key processes described in Stage 2 of GAO’s ITIM hierarchy.

A member of HLB International.
A world-wide organization of accounting firms and business advisers.

As a result of these and other activities, we have concluded that CPSC has reached Stage 1 of the five-stage IT investment maturity model as defined by GAO. CPSC has implemented most of the key practices and critical processes that constitute Stage 2. Based on our assessment, we outlined two specific actions in the Observations section of our report that CPSC needs to perform to achieve maturity Stage 2.

Our work was performed during the period September 2011 to July 2012. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.

Subsequent to our audit fieldwork in August 2012, CPSC lost one of its key personnel related to IT investment management, to another agency. Our audit does not reflect the impact, if any, this loss will have on the IT investment management practices at CPSC, as we have not performed any procedures to evaluate CPSC’s responses to this loss.
Therefore, there is the risk that this loss could materially affect CPSC IT investment management posture.

CPSC management has indicated it has already begun taking steps to address our recommendations and is developing plans to further mature certain practices identified in our report.

OBSERVATIONS

Prior Assessment of CPSC

In our August 2010 report “Performance Audit of Information Technology Investment Management”, WS+B reported that CPSC had reached Stage 1 of the five stage investment maturity model as defined by the GAO, and that it had implemented several of the key practices and critical processes that constitute Stage 2. We outlined 11 specific actions that CPSC needs to perform to achieve Stage 2. We recommended the Chairman of CPSC direct the CIO to develop a Plan of Action and Milestones (POA&M) to achieve the remaining Stage 2 processes as well as subsequent stages.

GAO’s ITIM maturity model framework [1] offers organizations a road map for improving their IT investment management processes in a systematic and organized manner. These process improvements are intended to:
    • improve the likelihood that investments will be completed on time, within budget, and with the expected functionality;
    • promote better understanding and management of related risks;
    • ensure that investments are selected based on their merits by a well-informed decision-making body;
    • implement ideas and innovations to improve process management; and
    • increase the business value and mission performance of investments.

GAO’s ITIM is subdivided into a hierarchy.
Each maturity stage consists of critical processes that are composed of a number of key practices. Each of the four maturity stages beyond Stage 1 is a plateau of well defined critical processes. Each stage builds upon the lower stages and enhances an organization’s ability to manage its IT investments. The five maturity stages represent the steps toward achieving a mature, comprehensive ITIM process. Each critical process contains a set of key practices that, when fulfilled, implement the critical process needed to attain a given maturity stage. The key practices are the tasks that must be performed in order to implement and institutionalize a critical process effectively.

The five maturity stages are as follows:
    • Stage 1 – Creating investment awareness
    • Stage 2 – Building the investment foundation
    • Stage 3 – Developing a complete investment portfolio
    • Stage 4 – Improving the investment process
    • Stage 5 – Leveraging IT for strategic outcomes

Stage 2 of the ITIM Maturity includes five critical processes:
1) Instituting the Investment Board
2) Meeting Business Needs
3) Selecting an Investment
4) Providing Investment Oversight
5) Capturing Investment Information

[1] GAO’s Information Technology Investment Management (ITIM): A Framework for Assessing and Improving Process Maturity (GAO-03-394G)

CPSC’s IT investment portfolio includes seven investments, of which four have been defined as Major and three as Non-Major.
Below is a summary of funding for these seven investments:

                                              FY 2010       FY 2011       FY 2012         Total
Planning, Development, Capital Spending   $11,795,000   $ 9,908,000   $ 6,711,000   $28,414,000
Operations and Maintenance                 12,678,000    12,289,000    14,061,000    39,028,000
Total                                     $24,473,000   $22,197,000   $20,772,000   $67,442,000

The seven investments consist of approximately 24 separate projects.

Current Assessment of CPSC

We performed a follow-up independent assessment of CPSC’s ITIM maturity under contract with CPSC’s Office of Inspector General (OIG). We found that CPSC had accomplished almost all of the additional key practices and critical processes of Stage 2. Some of the key new investment management activities we found during our review that CPSC has implemented include:

1. A full business case per OMB requirement developed for the CPSRMS investment and a new investment, CPSC International Trade Data System (ITDS).

2. The Investment Review Board (IRB) was trained on IRB’s portfolio decision making and budgeting processes in April and May 2011, as part of the IT portfolio “Rating and Ranking” processing, leading to the finalization of the agency’s FY 2012 IT portfolio.

3. Approved changes to the IRB membership in December 2011 based on CPSC organization changes in July 2011.

4. CPSC has formally documented its IT investment process in the CPIC Guide, which includes policies and procedures for selecting new IT proposals.

Based on our assessment, we noted that CPSC had satisfactorily completed Stage 1 and had implemented 37 of the 38 key practices within the five critical processes defined as Stage 2.
There is one key practice that CPSC had not fully implemented:

1) Meeting Business Needs
   Integrated Project Teams (IPT) including representative end-users have been implemented on the ITDS, CPSRMS, and CPSC.gov Redesign Projects. However, we noted that CPSC has not yet included end users on all projects within the remaining major investments including Infrastructure and CIS.

The following table summarizes our evaluation of the status of CPSC’s achievement of the five critical processes representing maturity stage two:

Table 1: Summary of Maturity Stage Two Critical Process Ratings

Critical Process                   Rating                                        Key Practices   Key Practices Executed      %
Instituting the Investment Board   Implemented                                         8                   8              100%
Meeting Business Needs             Not implemented, but improvements underway          7                   6               86%
Selecting an Investment            Implemented                                        10                  10              100%
Providing Investment Oversight     Implemented                                         7                   7              100%
Capturing Investment Information   Implemented                                         6                   6              100%
Total                                                                                 38                  37               97%

CPSC continued to make improvements in its investment management processes during FY 2011 and through the date of our fieldwork, demonstrating execution of an additional 15 of the 38 Stage 2 key practices since our last report in August 2012. Because ITIM maturity stages are cumulative where each stage is dependent upon completion of the previous stage, CPSC has not been able to fully implement all the Stage 2 critical processes and key practices.

As a result of these and other activities, we have concluded that CPSC has reached Stage 1 of the five-stage ITIM model as defined by the GAO. CPSC has implemented almost all of the key practices and critical processes that constitute Stage 2, and many of those in Stage 3.

Without adequate ITIM practices and procedures in place, CPSC may not be able to minimize risk and maximize investment return and thus it increases the chances that investments may not meet mission needs in the most cost-effective and efficient manner.

Observations on Stage 3

Although CPSC has not achieved Stage 2, during our fieldwork, we did perform some preliminary analysis of Stage 3 for the purposes of developing additional recommendations and to lay the foundation of gathering evidence for an analysis of Stage 3. Based on this limited work, once Stage 2 is achieved, we believe CPSC will be able to demonstrate significant progress toward achieving Stage 3. However, because of the cumulative nature of the ITIM maturity framework, we did not perform a complete analysis of Stage 3 since Stage 2 had not been achieved.
Therefore, we are not proposing a detailed roadmap for achieving Stage 3 at this time.

Additionally, it would be premature to perform an analysis of or propose a roadmap for Stages 4 and 5. GAO research has shown that agency efforts to improve investment management capabilities should focus on implementing all lower stage practices before addressing the higher stage practices.

Recommendation

In order to ensure the remaining Stage 2 key practices and critical processes are executed timely and CPSC’s investment management capability is strengthened, we recommend the Chairman of the Consumer Product Safety Commission direct the Chief Information Officer:

    1. Establish procedures to ensure that users participate in project management throughout an IT project’s life cycle for all major investments. We recommend that CPSC provide additional resources to enable formation of an IPT or designated liaison within the program area to facilitate understanding of business needs for all projects within the Infrastructure and CIS investments. Internal user signoffs should be formally documented to evidence participation of the user departments.

    2. Establish periodic business alignment review discussion for ongoing IT projects as part of regular IRB operations (from Management’s self assessment).

We appreciate the cooperation and courtesies that CPSC personnel extended to us during this audit.

Sincerely,

Appendices

Appendix A
Background

The Consumer Product Safety Commission was created in 1972 as an Independent Federal Regulatory Agency, whose mission is to protect the public from unreasonable risks of serious injury or death from thousands of types of consumer products under the agency’s jurisdiction. CPSC has jurisdiction over more than 15,000 kinds of consumer products. CPSC recalls products that present a significant risk to consumers either because the product may be defective or violates a mandatory standard issued by CPSC.

CPSC is headed by five Commissioners, one of which serves as Chairman of the Commission, who are assisted by an Executive Director and various other executive officials, including a Chief Information Officer (Director of Technology Services), and a Chief Financial Officer (Director of Financial Management, Planning, and Evaluation).
CPSC, with approximately 500 employees, is headquartered in Bethesda, Maryland and has laboratories in Rockville, Maryland, as well as about 100 investigators, compliance officers, and consumer information specialists spread throughout the country.

The Consumer Product Safety Improvement Act of 2008 requires that the Inspector General of the Commission “conduct reviews and audits to assess . . . the Commission’s capital improvement efforts, including improvements and upgrades of the Commission’s information technology architecture and systems and the development of the database of publicly available information on incidents involving injury or death.”

Appendix B
Objectives, Scope, Methodology, and Criteria

Objectives

The objectives of our audit were to determine which of the five stages of ITIM maturity most accurately describes CPSC’s ITIM framework; conduct a rigorous evaluation of the CPSC’s IT investment management process; report the results of our assessment in a form that can be easily understood; and develop recommendations for CPSC for improving its process.

Scope

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provided a reasonable basis for our findings and conclusions based on our audit objectives.
We conducted our fieldwork at the CPSC Headquarters in Bethesda, Maryland between September 2011 and July 2012.

Our performance audit was not designed to, and we did not, perform a financial audit of the amounts obligated or expended by CPSC.

This performance audit did not constitute an audit of financial statements in accordance with Government Auditing Standards. WS+B was not engaged to, and did not, render an opinion on CPSC’s internal controls over financial reporting or over financial management systems (for purposes of OMB’s Circular No. A-127, Financial Management Systems). WS+B cautions that projecting the results of our evaluation to future periods is subject to the risks that controls may become inadequate because of changes in conditions or because compliance with controls may deteriorate.

Methodology

To accomplish our audit objectives, we obtained an understanding of the Consumer Product Safety Improvement Act of 2008, which requires the Inspector General of CPSC to conduct reviews and audits to assess CPSC’s capital improvement efforts including the IT architecture and systems. We also reviewed GAO’s ITIM Framework for Assessing and Improving Process Maturity. We conducted interviews with CPSC officials from the Office of Information and Technology Services and performed a walkthrough of the relevant processes. Further, we reviewed CPSC investment management documentation, agency information, budgets, and other relevant documents. We judgmentally selected certain key processes for testing, and evaluated the audit evidence supporting the execution of the key process.

A performance audit includes gaining an understanding of internal controls considered significant to the audit objectives, testing controls, and testing compliance with significant laws, regulations, and other requirements.
For this assignment, CPSC’s IT investment management controls were considered the specific internal controls to ensure the process works effectively. We evaluated those controls accordingly to determine how well they contribute to carrying out the IT investment management process model.

Criteria

We used the following criteria to accomplish our audit:

• Consumer Product Safety Improvement Act of 2008

• GAO’s Information Technology Investment Management (ITIM): A Framework for Assessing and Improving Process Maturity (GAO-04-394G)

• Office of Management and Budget (OMB) Circular A-11

• OMB Circular A-130 Revised, “Management of Federal Information Resources”.

• OMB Circular A-123, “Management Accountability and Control”

Appendix C
Acronyms and Abbreviations

CPIC      Capital Planning and Investment Control
CPSC      Consumer Product Safety Commission
CPSIA     Consumer Product Safety Improvement Act of 2008
CPSRMS    Consumer Product Safety Risk Management System
EA        Enterprise Architecture
EVM       Earned Value Management
GAO       Government Accountability Office
IPT       Integrated Project Team
IT        Information Technology
ITDS      International Trade Data System
ITIM      Information Technology Investment Management
IRB       Investment Review Board
OIG       Office of Inspector General
OMB       Office of Management and Budget

Appendix D
Consumer Product Safety Commission Response

CPSC staff has reviewed the Performance Audit: Information Technology Investment Management (ITIM) Assessment Notification of Findings and Recommendations (NFR) dated July 26, 2012, and appreciates the acknowledgement of its accomplishments over the past year, as well as the recommendations for improvement in the year ahead.

The Commission has been working diligently to further mature its ITIM processes and has begun addressing deficiencies associated with the specific recommendations contained in the NFR:

    1. Establish procedures to ensure that users participate in project management throughout an IT project’s life cycle for all major investments.

CPSC staff has updated its systems development lifecycle (SDLC) guide to further require projects to involve business users throughout the system lifecycle, from initiation phase into operations and maintenance, and through disposition. The acknowledgement of a need for an integrated project team (IPT) has been adopted into standard operating procedures.
Business users, including project leads or other stakeholders, now have full transparency into the projects by receiving periodic status.

Currently, all projects require business users to participate in the project lifecycle events including initiation and business goal definition. Business representatives routinely partake in tactical design reviews and UAT, which demonstrate how business needs map to functional and nonfunctional requirement specifications. In the instance of projects on the CIS investment, users define needs to transition to the new solution; prioritize and validate requirements; provide input regarding the “bundling” of functionality; and approve and sign-off on requirements and project completion.

In order to further bolster user participation and ensure business user requirements are reflected in smaller, more tactical projects found in the Infrastructure investment (such as, networking hardware implementation and acquisitions of network switches), CPSC staff will modify its project initiation form to include a project health checkpoint and a project closeout component. The Project Management Office (PMO) will oversee adherence to the process and report to IT Management and the Investment Review Board (IRB) user involvement throughout the project lifecycle.

    2. Establish periodic business alignment review discussion for ongoing IT projects as part of regular IRB operations.

CPSC staff holds weekly project portfolio intake reviews where IT Management weighs the portfolio of work against stated business objectives and resources, thus supporting the IRB in effectively managing information technology as a strategic resource and business process enabler.

In order to mature this practice even further, CPSC staff will modify its project dashboard to include notations on the IT project’s alignment to CPSC’s business needs. The dashboard is provided to IRB members for their regularly scheduled meetings, and an agenda item will be added with dedicated time to review and discuss whether the projects are in alignment or if modifications to the portfolio are appropriate.